
Is Aadhaar a blunder? Seven reasons to worry

Civil Society News, New Delhi

In Civil Society, we have been tracking Aadhaar since well before it became Aadhaar. Our interview with Nandan Nilekani in May 2010 was all about choice and inclusion.

An identification number, as it was envisaged then, was specifically meant to help the poor and disenfranchised. It was one of many IDs. Most important, it was optional and not mandatory.

Nilekani said to us in that interview: “The purpose of this programme is very clear. It is about inclusion. It is about the fact that there are a few hundred million people in this country who don’t have any form of identity, who don’t have a birth certificate, who don’t have a school certificate, 75 million homeless people…they are the ones who are suffering due to lack of identity.”

In seven years, much has changed. The poor, for whom it was meant, complain that they can’t access their benefits because of biometric glitches and lack of connectivity. There have been starvation deaths in Jharkhand because people can’t get their rations.

Millions and millions of disabled and aged people as well as labourers find Aadhaar a problem because they cannot meet its biometric requirements.

Aadhaar is still optional on paper but mandatory in the way the government implements it. Huge power is put in the hands of the government by linking everything from bank accounts to mobiles and tax returns to Aadhaar.

In 2010, the offices of the Unique Identification Authority of India (UIDAI) in Connaught Place had the energetic mood of a start-up. Nilekani himself was reaching out to state governments and NGOs to garner support for his idea.

But these days, faced with criticism, Nilekani is defensive and complains of an orchestrated campaign. In the run-up to the Supreme Court’s hearings on petitions against Aadhaar, he has weighed in with a signed article in a newspaper insisting that Aadhaar is secure and that the personal data of citizens can’t be accessed.

But the fact is that there have been breaches, the most recent being documented by the Tribune in Chandigarh.

So, is Nilekani right or wrong? We asked Nikhil Pahwa, founder of MediaNama, to give us his criticisms of Aadhaar and why he thinks Nilekani is dead wrong in his assertions.

Pahwa, 36, is a digital rights activist and founder of the feisty MediaNama portal. He is a close watcher of developments regarding the Internet and telephony and was the first to flag the issue of net neutrality in India. Here are seven reasons why Pahwa thinks Nilekani is wrong and Aadhaar is technologically flawed and gives too much power to the government:

1. BIOMETRICS IS IMPERFECT

Biometrics is an imperfect science. It is not deterministic, it is probabilistic, which means it maps out your biometrics and then when you again press your finger, because there might be dirt on your hands or it might be from a different angle, it tries to match as many points as possible and then beyond a certain percentage it accepts it.

In different circumstances the mapping is going to be different. There are always going to be false negatives, which means your fingerprints will not match your fingerprints that were given to Aadhaar. And there will be false positives, which means someone else’s fingerprints will match yours.

Aadhaar is supposed to fix the problem of corruption and leakages in government schemes. It is supposed to get rations to the correct people. But with biometrics technologically that is not possible. So, there are always going to be people who will be rejected and there are always going to be people who are not the right people who are accepted. It means someone who has cloned fingerprints is more likely to get the rations than someone who hasn’t cloned them because cloning is more exact than fingerprints changing over time.
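The threshold behaviour described in this section, as an added example that is not part of the original article or of any UIDAI system. The minutiae coordinates, the position-only matcher and the sample probes are all constructed for illustration; raising the threshold rejects more genuine but worn fingers, lowering it accepts more strangers, and an exact copy of the enrolled template passes at every setting.

```python
import math

# Constructed enrolled template: minutiae as (x, y). Real templates also store
# ridge angle and type; this toy matcher compares positions only.
ENROLLED = [(12, 40), (25, 18), (33, 52), (47, 30), (58, 61),
            (64, 22), (71, 45), (80, 15), (86, 58), (93, 35)]

def probe(keep, jitter=(1, -1)):
    """Constructed probe: `keep` minutiae land near the enrolled ones (sensor
    jitter); the rest are lost to dirt, wear or angle and read as spurious."""
    near = [(x + jitter[0], y + jitter[1]) for x, y in ENROLLED[:keep]]
    spurious = [(x + 200, y + 200) for x, y in ENROLLED[keep:]]
    return near + spurious

def match_score(enrolled, sample, tolerance=3.0):
    """Fraction of enrolled minutiae paired with an unused sample point."""
    unused, hits = list(sample), 0
    for ex, ey in enrolled:
        near = [p for p in unused if math.hypot(p[0] - ex, p[1] - ey) <= tolerance]
        if near:
            best = min(near, key=lambda p: math.hypot(p[0] - ex, p[1] - ey))
            unused.remove(best)
            hits += 1
    return hits / len(enrolled)

def error_rates(genuine, impostor, threshold):
    """(false reject rate, false accept rate) at a given acceptance threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

# Same finger on four occasions: clean, angled, dirty, worn by manual labour.
GENUINE = [match_score(ENROLLED, probe(k)) for k in (10, 8, 6, 4)]
# Other people's fingers that happen to coincide on 1, 2 or 5 points.
IMPOSTOR = [match_score(ENROLLED, probe(k)) for k in (1, 2, 5)]
# A bit-for-bit copy of the enrolled template always scores 1.0.
COPY = match_score(ENROLLED, list(ENROLLED))

if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9):
        frr, far = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold={t}: FRR={frr:.2f} FAR={far:.2f} copy_accepted={COPY >= t}")
```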

2. NATIONAL SECURITY RISK

The system is so badly architected and implemented that it is a national security risk because of the level of access that is available.

They have made a permanent ID across databases. If a single number gets compromised it gets compromised everywhere Aadhaar is linked. Rationally that is a bad idea. Federated and independent IDs are safer because if one ID gets compromised only one database gets compromised.

For instance, if your driver’s licence gets compromised only the things to which your driver’s licence is linked get compromised, and no one knows where your driver’s licence is linked as an identification process.

In the case of Aadhaar everyone will know where it is linked and it is a single number that will get compromised. And we have seen people are getting calls saying this is your Aadhaar number, I am calling from so and so bank, etc.

This is because the UIDAI has created tools which allow people to check for this information online as well as through USSD messaging (unstructured supplementary service data built into GSM phones) where they can find out which bank a particular Aadhaar number or mobile number is linked with.

And so, people are capable of collecting these disparate data points and calling you, saying I am calling from such and such bank, please link your Aadhaar number to your account, I am sending you an OTP and they can use that to transfer your money out.

This has already happened to about 20 people; the finance minister has acknowledged it in Parliament. There have been cases reported in the press. It has also happened to an MP in Punjab. So, people are susceptible to these phishing calls. And people are going to get hurt.

Because of the incompetent manner in which Aadhaar has been built, personal identification data has been leaking all over the place. For example, we saw and reported last year that there were several government projects where people’s Aadhaar numbers, names, bank account numbers, father’s/husband’s names, addresses and mobile numbers were uploaded on an Excel sheet on the Internet.

It was only when CIS India put out a report pointing out that in just four schemes the data for about 130 million people had been compromised that the UIDAI issued a directive to take this information off the Internet.

There are now global hackers who are downloading Aadhaar-related apps from the government like the mAadhaar app, and looking inside the code and saying that this looks like it has been implemented by interns. They have made very basic mistakes, like access to the central database being in some instances through http instead of https, which means that the protocol is not secure.

Last year, in the case of Abhinav Srivastav in Bengaluru, he built an app which used an http connection which the e-Hospital app was using and it was able to authenticate people’s data because the National Informatics Centre (NIC) had implemented the e-Hospital app in an incompetent manner.

This is the same thing that the Tribune story proves — that local village agents were given access to the entire database for checking people’s Aadhaar details. When their business was shut down, the UIDAI did not remove that access and they started selling that access forward. We have effectively placed the personal identification data of the citizens of India at great risk.

3. PERMANENT USERNAME

Biometrics is a non-secure way of identification because it is like a permanent password. You can’t change it. And with a permanent Aadhaar number, you can’t change that. It doesn’t make any sense for anyone to have a permanent username and password.

You can change your Gmail account. You can’t change your Aadhaar number. You can keep changing your password every minute if you want, but you can’t change your biometrics. A combination of biometrics and a permanent Aadhaar number effectively compromises every citizen.

4. YOU CAN’T GO TO COURT

Only the UIDAI has the right to go to court if your data gets stolen. That’s a problem because data has been stolen. But it is only up to the UIDAI to go to court. As a citizen, you don’t have rights over your own data. In fact, the UIDAI has consistently refused to answer the question of who owns your data. Is it the Government of India who owns it, is it the citizen who owns it? Is it constitutional to forcefully take this data from us? And we have been forced even though the Aadhaar Act says it is voluntary.

Since only the UIDAI can go to court if the data is stolen, it means I have no right to recourse. That is a constitutional problem if you think about it. Do I own myself or does the State own me? Biometrics are an extension of my person. The relationship between the State and citizen is being reversed, using Aadhaar.

5. NUMBER CAN BE BLOCKED

The UIDAI has complete right under the Aadhaar Act to cancel your Aadhaar number for any reason that they may deem necessary. There is no process, no mechanism, put in place. The Aadhaar Act does mention reasons. But it has this one line that any reason the authority might deem necessary is enough to cancel your number.

That is disproportionate power in the hands of one entity without due process and access to recourse. Especially under the circumstances where everything in your life gets connected to an Aadhaar number.

Imagine if your mobile connection gets blocked because your Aadhaar number gets cancelled. Imagine if your bank account gets frozen. Already it has gone to the point where children are being refused birth certificates and admission to school without Aadhaar.

6. NO MONITORING MECHANISM

The UIDAI has no monitoring mechanism. It has an audit mechanism. The Aadhaar database itself has never been audited. So, we don’t know how many fakes there are in the Aadhaar system because UIDAI has no way of checking unless they authenticate every citizen or resident in the country.

That is the other thing: Aadhaar is for residents and not citizens. We have seen in a recent Pathankot case a Pakistani national living in India for decades had an Aadhaar number. Since the UIDAI doesn’t verify documents, someone can easily get a fake identity card and get an Aadhaar in a fake name which everyone thereafter believes is authentic.

It is also easy to photoshop any information on an Aadhaar card because it is not chip-based. People are accepting any laminated card as an Aadhaar card when it is not.

7. PRIVACY LACKING

The last point is a privacy point. While the UIDAI claims they have only a limited amount of personal data, that data is enough for phishing attacks. The data has also been transferred to state resident data hubs. Now, these hubs have no limitation to the amount of data that they can link to Aadhaar and store.

Andhra Pradesh has started mapping people using the Aadhaar number. In a similar way, they are also tagging Aadhaar numbers with details of traffic violations. Historically, when you needed to connect one dataset to another, legal permission was needed. Aadhaar destroys this boundary between databases and the legal protection that citizens have from an overbearing State.

In most cases, there is no law governing the state data hubs. In the absence of an oversight mechanism in terms of access to this data, any bureaucrat from the government can get access and say, I know your entire history.

We have to think about this from a democratic perspective. From December 2018, the National Intelligence Grid or Natgrid is going to connect 21 databases using Aadhaar as a de-duplication mechanism. In Phase 2 Natgrid is going to connect over 955 databases, public and private.

What differentiates Ajay Kumar in one database from Ajay Kumar in another database? It is that de-duplication ID, which is the Aadhaar number. The ability to monitor citizens without any judicial oversight puts disproportionate power in the hands of the State.
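The contrast drawn in section 2 (one permanent ID versus federated, independent IDs) and in section 7 (the Aadhaar number as the de-duplication key across databases), as an added example that is not part of the original article. The records, the keys and the HMAC-derived per-sector pseudonym are assumptions made for illustration; the pseudonym scheme is one possible design and is not described by the article or attributed to UIDAI.

```python
import hashlib
import hmac

# Constructed records standing in for two leaked datasets keyed on one number.
RATION_DB = [
    {"id": "0000-0000-0001", "name": "Ajay Kumar", "scheme": "rations"},
    {"id": "0000-0000-0002", "name": "Ajay Kumar", "scheme": "rations"},
]
TELECOM_DB = [
    {"id": "0000-0000-0002", "name": "A. Kumar", "mobile": "MOBILE-A"},
    {"id": "0000-0000-0001", "name": "Ajay K.", "mobile": "MOBILE-B"},
]

# Hypothetical per-sector secrets, each held only by that sector's operator.
RATION_KEY = b"constructed-ration-sector-key"
TELECOM_KEY = b"constructed-telecom-sector-key"

def sector_id(national_id, sector_key):
    """Derive a sector-specific pseudonym from the national number."""
    mac = hmac.new(sector_key, national_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def tokenise(rows, sector_key):
    """Replace the shared number with that sector's pseudonym in every row."""
    return [{**row, "id": sector_id(row["id"], sector_key)} for row in rows]

def link(a_rows, b_rows):
    """Join two datasets on their id column, as anyone holding both could."""
    index = {row["id"]: row for row in b_rows}
    return [(a, index[a["id"]]) for a in a_rows if a["id"] in index]

def linked_mobiles(a_rows, b_rows):
    """Which mobile belongs to which ration record, if the join succeeds."""
    return {a["id"]: b["mobile"] for a, b in link(a_rows, b_rows)}

if __name__ == "__main__":
    # One shared number: both Ajay Kumars are resolved across datasets.
    print(linked_mobiles(RATION_DB, TELECOM_DB))
    # Separate pseudonyms: the same two leaks no longer join.
    print(linked_mobiles(tokenise(RATION_DB, RATION_KEY),
                         tokenise(TELECOM_DB, TELECOM_KEY)))
```

Within a single sector the pseudonym still tells the two Ajay Kumars apart; joining across sectors requires both keys, which is where an authorisation step can be enforced.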


Comments

Subhashish Dutta - Feb. 23, 2018, 11:36 p.m.

While I appreciate the points you made in your story and the genuine concern you express, there are a few things that I'd like to point out.
1. On your first point about biometrics not being an exact science, it is not as inexact as it is made out to be. Yes, there can be margins of error which is why 10 fingerprints and then an iris scan are done. Now, what do you think is the probability of two sets of 10 fingerprints and an iris scan matching? It's very, very low.
2. On your second point, let me correct a more minor point before I address the larger issue. Databases are not directly accessed over http (or for that matter https). Databases have their own protocol. Typically a client (like a mobile app) accesses a public url which kicks off some code that accesses the database using a "driver" software that the database provides. Yes, that url should only be available over https and if it is available over http, someone in the middle can sniff the data that's being sent and received. That is a flaw but can be very easily fixed. It takes a few minutes to change from http to https.
3. Going by the examples of breaches (such as village businesses selling details of people), it looks like the controls around granting and revoking access and mapping types of access to types of data need to be strengthened. That is definitely pluggable but it does look like it was not given enough thought which is surprising considering this kind of access (RBAC - role based access control) is taken for granted in corporates.
In conclusion, while you have done a good job of making a few points, the article is not as well researched as a technical article should be and because of that, it comes across as unnecessarily alarming. The points made do not in any way prove that the basic Aadhaar architecture is flawed from a security perspective. The article doesn't prove (or cite any example of) impersonation using biometrics. If that happens, I'd be as alarmed as you are.

Sanjay Prakash - Jan. 31, 2018, 7:36 a.m.

Inclusion is not going to work, digitally or otherwise, in a society that is hell bent upon inequity as the basis for perpetuating itself.